System and method for securing virtualized networks

ABSTRACT

Systems and methods for securing a dynamic virtualized network are provided. According to one embodiment, a network policy of a dynamic virtualized network is received by an SDN controller of the dynamic virtualized network. The network policy includes network policy elements which each identify (i) an authorized endpoint, (ii) a network access device, and (iii) a port of the network access device with which the authorized endpoint is associated. A test network access device is selected from which test traffic is to be injected into the dynamic virtualized network. The test network access device is caused to inject the test traffic into the dynamic virtualized network. One or more errors in connection with handling of the test traffic by the dynamic virtualized network are identified by comparing a predicted result with the actual result of injection of the test traffic.

RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.14/555,441, filed on Nov. 26, 2016, which is a continuation of U.S.patent application Ser. No. 13/911,925, filed on Jun. 6, 2013, now U.S.Pat. No. 8,931,047, which is a continuation of U.S. patent applicationSer. No. 13/842,695, filed on Mar. 15, 2013, now U.S. Pat. No.8,931,046, which claims the benefit of priority of U.S. ProvisionalApplication No. 61/720,343, filed Oct. 30, 2012, all of which are herebyincorporated by reference in the entirety for all purposes.

COPYRIGHT NOTICE

Contained herein is material that is subject to copyright protection.The copyright owner has no objection to the facsimile reproduction ofthe patent disclosure by any person as it appears in the Patent andTrademark Office patent files or records, but otherwise reserves allrights to the copyright whatsoever. Copyright© 2012-2017, Fortinet, Inc.

BACKGROUND

Field

Embodiments of the present invention generally relate to data networkingand more particularly to securing access to a dynamic virtualizednetwork that is overlaid on a physical network.

Description of the Related Art

A virtualized network is a data network that is overlaid on the top ofanother network, such as a physical network. Network elements in theoverlaid network are connected by virtual or logical links, each ofwhich corresponds to a path, perhaps through many physical links, in theunderlying network. For example, a virtualized network is a combinationof hardware and software network resources that is a singleadministrative entity.

One example of a virtualized network is Virtual eXtensible Local AreaNetwork (VXLAN), where VXLAN is a layer 2 overlay over a layer 3physical network. Each VXLAN overlay network is known as a VXLAN segmentand is identified by a unique 24-bit segment ID called a VXLAN NetworkIdentifier (VNI). Virtual machines with the same VNI are allowed tocommunicate with each other over the corresponding VXLAN segment. In aVXLAN segment, virtual machines are uniquely identified by thecombination of Media Access Control (MAC) addresses and the VNI of thatsegment. A Virtual Tunnel Endpoint (VTEP) encapsulates data entering theVXLAN segment with the VNI and de-encaspulates the data traffic leavingthe VXLAN segment.

In addition, VXLAN uses multicast to transport virtual machineoriginated traffic such as unknown destination MAC packets, broadcasts,multicast or non-Internet Protocol (IP) traffic. Multicast is also usedfor endpoint discovery by the VTEPs. Physical switches further usemulticast snooping to build a map of the physical ports to multicastaddresses in use by the end clients.

The model used for VXLAN overlay network virtualization as well as othervirtualization models (e.g., Network Virtualization using GenericRouting Encapsulation (NVGRE), Stateless Transport Tunneling (STT),Overlay Transport Virtualization (OTV), etc.) use tunneling andencapsulation. In addition, these models use IP Multicast for learningnew network addresses in each virtual segment. This is calledconversational learning as this attempts to mimic the behavior of atraditional Ethernet network so that the instantiation of a virtualizednetwork does not require any changes to the host stacks. For example,traditional Ethernet Network Interface Controller (NIC) drivers,Transport Control Protocol (TCP)/IP stacks, etc., continue to work andthe deployment of a virtualized network is transparent to hosts andapplications.

The challenge with these conversational learning models is that theyrely upon relatively insecure methods of joining a virtualized segmentand there are no mechanisms in place that prevents source addressspoofing. For example, a rogue node in a multi-tenant cloud you can joinany tenant network, bypassing every firewall, and security appliancethey have in their data path.

SUMMARY

Systems and methods are described for securing a dynamic virtualizednetwork. According to one embodiment, a network policy of a dynamicvirtualized network is received by an SDN controller of the dynamicvirtualized network. The network policy includes network policy elementswhich each identify (i) an authorized endpoint, (ii) a network accessdevice, and (iii) a port of the network access device with which theauthorized endpoint is associated. A test network access device isselected from which test traffic is to be injected into the dynamicvirtualized network. The test network access device is caused to injectthe test traffic into the dynamic virtualized network. One or moreerrors in connection with handling of the test traffic by the dynamicvirtualized network are identified by comparing a predicted result withthe actual result of injection of the test traffic.

Other features of embodiments of the present disclosure will be apparentfrom accompanying drawings and from detailed description that follows.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example and notlimitation in the figures of the accompanying drawings in which likereferences indicate similar elements.

FIG. 1 is a block diagram of a system that includes dynamic virtualizednetworks overlaid on an underlay physical network in accordance with anembodiment of the present invention.

FIG. 2 is a block diagram of a system that includes dynamic virtualizednetworks overlaid on an underlay physical network, where the dynamicvirtualized networks include rogue nodes that can compromise one, some,or all of the VXLAN segments, in accordance with an embodiment of thepresent invention.

FIG. 3 is a block diagram of a system that includes a network automationengine that is used to secure the dynamic virtualized networks inaccordance with an embodiment of the present invention.

FIG. 4 is a flow diagram illustrating a process to secure a dynamicvirtualized network by learning a current network policy of thevirtualized networks and generating a network security policy for thesevirtualized networks in accordance with an embodiment of the presentinvention.

FIG. 5 is a flow diagram illustrating a process to determine a networksecurity policy for each affected network access device of a pluralityof network access devices in accordance with an embodiment of thepresent invention.

FIG. 6 is a flow diagram illustrating a process to test a security of anetwork policy of the dynamic virtualized network in accordance with anembodiment of the present invention.

FIG. 7 is a block diagram of network policy monitoring and enforcementmodule that secures and tests a dynamic virtualized network inaccordance with an embodiment of the present invention.

FIG. 8 is a block diagram of a network policy monitoring and enforcementmodule that secures a dynamic virtualized network in accordance with anembodiment of the present invention.

FIG. 9 is a block diagram of a network security policy determinationmodule that determines a network security policy for each affectednetwork access device of a plurality of network access devices inaccordance with an embodiment of the present invention.

FIG. 10 is a block diagram of a network policy testing module that testsa dynamic virtualized network in accordance with an embodiment of thepresent invention.

FIG. 11 illustrates one example of a typical computer system, which maybe used in conjunction with various embodiments of the presentinvention.

DETAILED DESCRIPTION

Systems and methods are described for securing and testing a dynamicvirtualized network. In the following description, numerous specificdetails are set forth to provide thorough explanation of embodiments ofthe present invention. It will be apparent, however, to one skilled inthe art, that embodiments of the present invention may be practicedwithout these specific details. In other instances, well-knowncomponents, structures, and techniques have not been shown in detail inorder not to obscure the understanding of this description.

Reference in the specification to “one embodiment” or “an embodiment”means that a particular feature, structure, or characteristic describedin connection with the embodiment can be included in at least oneembodiment of the invention. The appearances of the phrase “in oneembodiment” in various places in the specification do not necessarilyall refer to the same embodiment.

In the following description and claims, the terms “coupled” and“connected,” along with their derivatives, may be used. It should beunderstood that these terms are not intended as synonyms for each other.“Coupled” is used to indicate that two or more elements, which may ormay not be in direct physical or electrical contact with each other,co-operate or interact with each other. “Connected” is used to indicatethe establishment of communication between two or more elements that arecoupled with each other.

The processes depicted in the figures that follow, are performed byprocessing logic that comprises hardware (e.g., circuitry, dedicatedlogic, etc.), software (such as is run on a general-purpose computersystem or a dedicated machine), or a combination of both. Although theprocesses are described below in terms of some sequential operations, itshould be appreciated that some of the operations described may beperformed in different order. Moreover, some operations may be performedin parallel rather than sequentially.

The terms “server,” “client,” and “device” are intended to refergenerally to data processing systems rather than specifically to aparticular form factor for the server, client, and/or device.

A method and apparatus of a device that secures and tests a dynamicvirtualized network is described. In one embodiment, the device learns aVXLAN network policy from a software defined network controller and/orby snooping multicast join/leaves messages. Using this learned networkpolicy, the device determines which network access devices of thedynamic virtualized networks are affected by the VXLAN network policy.For each affected network access device, the device determines a networksecurity policy to help secures the dynamic virtualized network. Thedevice can construct multicast join filters to allow multicast groups tolearn the VNIs for authorized VTEP ports and drop other multicast joins,create access control lists (ACL) on ports that have VTEPs to passauthorized VNI-tagged traffic and drop other type of traffic, and/orcreate ingress ACLs drop VXLAN encapsulated traffic on ports that do nothave an attached VTEP. The device applies the network security policyfor each of the affected network access devices.

In another embodiment, the device tests the dynamic virtualized networkby injecting test traffic at one of the network access devices associatewith the dynamic virtualized network. The device determines whichnetwork access device to inject the test traffic and further predictsthe result of the test traffic injection. The device injects the testtraffic and monitors the dynamic virtualized network for the appearanceand non-appearance of the injected test traffic. If the results of theinjected test traffic are inline with the predicted results, the devicereports the test was a success. Otherwise, the device reports an error.

FIG. 1 is a block diagram of one embodiment of a system 100 thatincludes dynamic virtualized networks overlaid on an underlay physicalnetwork. In FIG. 1, two virtualized networks, VXLAN 114A-B, are overlaidon top of an underlying physical network 112. In another embodiment, avirtualized network can be overlaid on top of another virtualizednetwork. In one embodiment, this physical network 112 is a network thatincludes network access devices 104A-B that interconnects other networkaccess devices 106A-D. In one embodiment, network access devices 106A-Bis coupled to network access device 104A. Network access device 104A isfurther coupled to network access device 104B, which is in turn coupledto network access device 106A-B. In one embodiment, a network accessdevice is a device that provides network access to a network (e.g.,physical network, virtualized network, etc.). A network access devicecan be a switch, router, hub, bridge, gateway, etc., or any type ofdevice that can allow access to a network. While in one embodiment theinterconnection between the different network access devices is a wiredconnection (e.g., copper, fiber, etc., and/or a combination thereof), inalternate embodiments, a different type of interconnection is used(e.g., wireless, a combination of wireless and wired, etc.). In oneembodiment, the physical network 112 is layer 3 network, in which thenetwork access devices 104A-B and 106A-D are communicating data using alayer 3 protocol (e.g., Internet Protocol (IP), Asynchronous TransferMode (ATM), etc.) or a combination of layer 3 protocol and another layerprotocol (e.g., Ethernet switching, Infiniband, Ethernet routing,multiprotocol layer switching (MPLS), Synchronous Optical Networking(SONET), Satellite networking protocols, etc.). For example and in oneembodiment, the physical network 112 is a layer 3 IP networkinterconnected by copper and/or fiber Ethernet connections. While in oneembodiment, network access devices 104A-B are connected by a local areanetwork (LAN), in alternate embodiments the coupling between the networkaccess devices 104A-B is different (e.g. coupled by multiple links thathave the same or different physical media and protocols, coupled a widearea network, etc.).

In FIG. 1, two VXLAN segments 114A-B are overlaid the physical network112. As described above, each VXLAN segment 114A-B is a layer 2 overlayover a layer 3 physical network. Each VXLAN segment is identified by aunique 24-bit segment ID called a VXLAN Network Identifier (VNI).Virtual machines with the same VNI are allowed to communicate with eachother over the corresponding VXLAN segment. Virtual machines that arecoupled to the VXLAN segment are identified uniquely by the combinationof their MAC addresses and VNI. A Virtual Tunnel Endpoint (VTEP)encapsulates data entering the VXLAN segment and de-encaspulates thedata traffic leaving the VXLAN segment. In one embodiment, each VTEPenforces a network security policy to the network data beingcommunicated through that VTEP. In one embodiment, a network automationengine generates and applies a network security policy for each VTEP asdescribed with reference to FIG. 3 below.

In one embodiment, the network access device 106A-D includes the VTEPs108A-H that are used encapsulate/de-encapsulate network datacommunicated with virtual machines (VM) 110A-H. In one embodiment, avirtual machine is a software implementation of a machine (e.g. acomputer, switch, etc.) that executes programs like a physical machine.The virtual machine can be a system virtual machine that provides avirtualized operating system platform to run one or more applications(e.g., hardware virtualization). In another embodiment, the virtualmachine represents a plurality of virtual machines that are coupled tothe same VXLAN segment via the same VTEP. In a further embodiment, thevirtual machine represents one or more physical and/or virtual devicesthat communicate network data through the corresponding VTEP (e.g., theVM could represent a physical device, a switch or other network accessdevice, a firewall, etc. and/or a combination thereof).

In one embodiment, the Software Defined Network (SDN) controller 102 isa device that has the VTEP configurations for each VXLAN segment. In oneembodiment, the VTEP configuration includes which VTEPs are authorizedfor each VXLAN segment and where the VTEPs are located (e.g., the portand network access device where that VTEP is located).

In addition, VXLAN segments 114A-B use multicast to transport virtualmachine originated traffic such as unknown destination MAC packets,broadcasts, multicast or non-IP traffic. In addition, multicast is usedfor endpoint discovery by the VTEPs. Physical switches further usemulticast snooping to build a map of the physical ports to multicastaddresses in use by the end clients.

While in one embodiment, there are two VXLAN segments 114A-B illustratedin FIG. 1, in alternate embodiments, there can more or less VXLANsegments. In one embodiment, VXLAN segment 114A couples VMs 110A, 110B,110F, and 110G so that these VMs can communicate using a layer 2protocol. In this embodiment, VMs 110A-B couple to network access device106A via VTEP 108A-B, respectively. In addition, VM 110F couples tonetwork access device 106C via VTEP 108F and VM 110G couples to networkaccess device 106D via VTEP 108G. By coupling VMs 110A, 110B, 110F, and110G using VXLAN segment 114A, these VMs can communicate using a layer 2protocol over a local or wide area network.

In one embodiment, the VMs 110A, 110B, 110F, and 110G dynamically coupleto the VXLAN segment 114A using a corresponding VTEPs 108A, 108B, 108F,and 108G. In this embodiment, as one of the VMs 110A, 110B, 110F, and110G is provisioned, that VM couples to the corresponding VTEP. ThatVTEP discovers the newly provisioned VM and allows the provisioned VM tocommunicate on that VXLAN segment. In one embodiment, the network datacommunicated using VXLAN segment 114A is encapsulated with a header thatincludes the VNI associated with VXLAN segment 114A.

In one embodiment, the VXLAN segment 114A is dynamic because the VMscoupled to the VXLAN segment can join or leave the VXLAN segment using amulticast join or leave message. For example and in one embodiment, VM110A joins the VXLAN segment 114A by sending an IGMP join message to theSDN controller 102. In response, network access devices 106A and 104A,and SDN controller 102 save information in the respective tables that VM110A is part of VXLAN segment 114A.

In one embodiment, VXLAN segment 114B couples VMs 110C, 110D, 110E, and110H so that these VMs can communicate using a layer 2 protocol. In thisembodiment, VMs 110C-D couple to network access device 106B via VTEP108C-D, respectively. In addition, VM 110E couples to network accessdevice 106C via VTEP 108E and VM 110H couples to network access device106D via VTEP 108H. By coupling VMs 110C, 110D, 110E, and 110H usingVXLAN segment 114B, these VMs can communicate using a layer 2 protocolover a local or wide area network. In addition, VMs 110C, 110D, 110E,and 110H dynamically couple to the VXLAN segment 114B. In oneembodiment, the network data communicated using VXLAN segment 114B isencapsulated with a header that includes the VNI associated with VXLANsegment 114B.

In one embodiment and similar to VXLAN segment 114A, the VXLAN segment114B is a dynamic virtualized network because the VMs coupled to thisVXLAN segment 114B can join or leave this VXLAN segment using amulticast join or leave message. For example and in one embodiment, VM110C joins the VXLAN segment 114B by sending an IGMP join message to theSDN controller 102. In response, network access devices 106A and 104Band SDN controller 102 save information in the respective tables that VM110A is part of VXLAN segment 114A.

In the VXLAN segments 114A-B illustrated in FIG. 1, some of the networksaccess devices 104A-B and 106 A-D participate in one or both of theVXLAN segments. For example and in one embodiment, network access device106A and 106B participate in one VXLAN segment (VXLAN segments 114A and114B, respectively). In addition, network access devices 104A-B and106C-D participate in both VXLAN segments 114A-B. In one embodiment,network access device 104A-D include VTEPs 108A-H toencapsulate/de-encapsulate network data being communicated with therespective VMs 108A-H. In one embodiment, the network access devices106A-B communicate VXLAN encapsulated traffic for both VXLAN segments114A-B, but neither of these network access devices includes a VTEP usedto couple to a VM. In this embodiment, network access devices 106A-B areused to transit VXLAN segment network data between the corresponding VMs108A-H and is not used to terminate a VXLAN segment.

While the VXLAN segments 114A-B, as illustrated, can communicate networkdata between the VMs that are part of the corresponding VXLAN, thesecurity of the VXLAN segments 114A-B is only as good as the security ofeach device that participates in the VXLAN segment. For example and inone embodiment, if there is a compromise at any of the network elements(e.g., network access device and/or SDN Controller), then one, some, orall of the VXLAN segments can be compromised. In addition, if one VXLANsegment is compromised, because some of the network access devices mayparticipate in more than one VXLAN segment and/or the SDN controller,other VXLAN segment can be compromised as well. While the system 100 inFIG. 1 is described in reference a VXLAN network, the inventiondescribed herein can be used for other virtualized networks (e.g.,NVGRE, STT, and OTV).

FIG. 2 is a block diagram of one embodiment of a system 200 thatincludes dynamic virtualized networks 214A-B overlaid on an underlyingphysical network 212, where the dynamic virtualized networks includerogue nodes 202A-B that can compromise the some or all of the VXLANsegments 214A-B. In FIG. 2, the underlying network 212 and VXLANsegments 214A-B are similar physical network 112 and VXLAN segments114A-B as described with reference to FIG. 1 above. In one embodiment,the underlying network includes network access device 204A that iscoupled to network access devices 204B and network access devices206A-B. In addition, network access device 204B is coupled to networkaccess devices 206C-D. As in FIG. 1, underlying network 212 can be alayer 3 network or a mixture of layer 2 and 3 networks. Overlaid onnetwork 212 is VXLAN segments 214A-B. In one embodiment, VXLAN segment214A couples VMs 210A, 210B, 210F, and 210G so that these VMs cancommunicate using a layer 2 protocol. In this embodiment, VMs 210A-Bcouple to network access device 206A via VTEP 208A-B, respectively. Inaddition, VM 210F couples to network access device 206C via VTEP 208Fand VM 210G couples to network access device 206D via VTEP 208G. Bycoupling VMs 210A, 210B, 210F, and 210G using VXLAN segment 214A, theseVMs can communicate using a layer 2 protocol over a local or wide areanetwork. In one embodiment, the network data communicated using VXLANsegment 214A is encapsulated with a header that includes the VNIassociated with VXLAN segment 214A.

In one embodiment, VXLAN segment 214B couples VMs 210C, 210D, 210E, and210H so that these VMs can communicate using a layer 2 protocol. In thisembodiment, VMs 120C-D couple to network access device 206B via VTEP208C-D, respectively. In addition, VM 120E couples to network accessdevice 206C via VTEP 208E and VM 120H couples to network access device206D via VTEP 208H. By coupling VMs 210C, 210D, 210E, and 210H usingVXLAN segment 214B, these VMs can communicate using a layer 2 protocolover a local or wide area network. In one embodiment, the network datacommunicated using VXLAN segment 214B is encapsulated with a header thatincludes the VNI associated with VXLAN segment 214B. In addition, system200 includes a SDN controller 202 that is a device that includes theVTEP configurations for each VXLAN segment.

Unlike in FIG. 1, in FIG. 2, the network 200 includes two rogue nodes202A-B that may compromise VXLAN segments 214A-B. In one embodiment, therogue node can be a virtual machine that couples to one on the networkaccess devices. In another embodiment, the rogue node can be a physicalnode that couples to the network access device. In one embodiment, arogue node can result from a software exploit, an attack by a hacker,error in cabling, configuration error, operator error, etc., and/or acombination thereof. In one embodiment, in a regulated industry, theappearance of a rogue node can cause a compliance violation even thoughthe rogue node does not appear maliciously. For example and in oneembodiment, a rogue node could arise because a server that can host oneor more virtual machines is exploited and a new, unauthorized virtualmachine is created and provisioned. In one embodiment, rogue device 216Ais coupled to network access device 206C, where the rogue node 216Acouples to a network access device 206C that include one or more VTEPs(e.g. VTEPs 208E-F). In one embodiment, rogue device 216B is coupled tonetwork access device 204B, where the rogue node 216B couples to anetwork access device 204B that does not include a VTEP and is used totransit VXLAN encapsulated network data.

In one embodiment, if a rogue node (e.g., 216A or 216B) can compromiseone or more of the VXLAN segments 214A-B, the rogue node is anunauthorized virtual machine that can have access to the either or bothVXLAN segments 216A-B. For example and in one embodiment, the rogue nodecan mirror network data to another port, monitor the network data tosteal/copy, compromise other nodes in that VXLAN segment, injectundesired network data into that VXLAN segment (e.g., injecting networkdata to deny services, etc.), etc., and/or a combination thereof.

As described above, the VXLN segments 214A-B of FIG. 2 can becompromised by rogue nodes 216A-B because the VXLAN model relies on arelatively insecure model of joining a VXLAN segment. FIG. 3 is a blockdiagram of one embodiment of a system 300 that includes a networkautomation engine 318 that is used to secure the dynamic virtualizednetworks. In one embodiment, the underlying network 312 and VXLANsegments 314A-B are similar as described with reference to FIG. 1 above.In one embodiment, the underlying network 312 includes network accessdevice 304A that is coupled to network access devices 304B and networkaccess devices 306A-B. In addition, network access device 304B iscoupled to network access devices 306C-D. As in FIG. 1, underlyingnetwork 312 can be a layer 3 network or a mixture of layer 2 and 3networks. Overlaid on network 312 is VXLAN segments 314A-B. In oneembodiment, VXLAN segment 314A couples VMs 310A, 310B, 310F, and 310G sothat these VMs can communicate using a layer 2 protocol. In thisembodiment, VMs 310A-B couple to network access device 306A via VTEP308A-B, respectively. In addition, VM 310F couples to network accessdevice 306C via VTEP 308F and VM 310G couples to VTEP 308G on networkaccess device 306D. By coupling VMs 310A, 310B, 310F, and 310G usingVXLAN segment 314A, these VMs can communicate using a layer 2 protocolover a local or wide area network. In one embodiment, the network datacommunicated using VXLAN segment 314A is encapsulated with a header thatincludes the VNI associated with VXLAN segment 314A.

In one embodiment, VXLAN segment 314B couples VMs 310C, 310D, 310E, and310H so that these VMs can communicate using a layer 2 protocol. In thisembodiment, VMs 310C-D couple to network access device 306B via VTEP308C-D, respectively. In addition, VM 310E couples to network accessdevice 306C via VTEP 308E and VM 310H couples to VTEP 308H on networkaccess device 306D. By coupling VMs 310C, 310D, 310E, and 310H usingVXLAN segment 314B, these VMs can communicate using a layer 2 protocolover a local or wide area network. In one embodiment, the network datacommunicated using VXLAN segment 314B is encapsulated with a header thatincludes the VNI associated with VXLAN segment 314B. In addition, system300 includes a SDN controller 302 that is a device that includes theVTEP configurations for each VXLAN segment.

In one embodiment, system 300 include two rogue nodes 316A-B that areunauthorized nodes attempting to compromise either one or both of theVXLAN segments 314A-B. In one embodiment, the rogue nodes 316A-B aresimilar to rogue nodes 216A-B as described with reference to FIG. 2above. In order to assist in preventing a compromise of one or both ofthe VXLAN segment, system 300 includes a network automation engine (NAE)318 that learns the current network policy of the VXLAN segments 314A-Band determines a network security policy that can help further securethese VXLAN segments. For example and in one embodiment, NAE 318constructs multicast join filters to allow multicast groups to learn theVNIs for authorized VTEP ports and drop other multicast joins, createaccess control lists (ACL) on ports that have VTEPs to pass authorizedVNI-tagged traffic and drop other type of traffic, and/or create ingressACLs drop VXLAN encapsulated traffic on ports that do not have anattached VTEP. Furthermore, NAE 318 applies this network security policyfor each network access devices that is affected by the network securitypolicy. In one embodiment, the current and security network policiesincludes a different set of network policy elements and the set ofnetwork policy elements for the network security policy does not includea network policy element that is include in the current network policyset of network policy elements. In one embodiment, the current networkpolicy includes VTEP configurations that identify the authorized VTEPsand port location. In one embodiment, a network policy element is aninstruction that determines how a port of network access deviceprocesses a certain type of network data.

In one embodiment, by having a multicast join filter for a port of oneof the network access devices 304A-B and/or 306A-D allows the networkaccess device 304A-B and/or 306A-D to drop multicast join requests thatare on ports that do not have an associated VTEP. This type of networkpolicy can deny a rogue node from joining a VXLAN segment on a networkattached device port that does not have an authorized VTEP. In addition,a multicast filter can be used to pass a multicast join with a VNI thatmatches the authorized VTEP VNI and drop a multicast join that has amismatching VNI. For example and in one embodiment, if network accessdevice 306C has a policy on the port coupled to the rogue node 316A tofilter an IGMP join on that port because that port does not have anauthorized VTEP, the rogue node could not join either VXLAN segment314A-B. In another example and another embodiment, network access device306A can have a network policy for the port associated with VTEP 308A topass a multicast join with a VNI that matches the VNI of the VTEP 308Aand drop a multicast join with a VNI that does not match the VNI of thatVTEP 308A. Thus, the multicast join filter prevents a rogue node fromjoining on a port that is not authorized to have a VTEP or a multicastjoin with a mismatching VNI.

In one embodiment, by having an ACL on a port that has an authorizedVTEP, where the ACL passes/drops network data with/without a VNI of theauthorized VTEP, the ACL allows a network access device to block networkdata that does not have this VNI. This, in effect, restricts this portto communicate the network data of the associated VXLAN segment. In oneembodiment, this type of ACL prevents an authorized member of one VXLANsegment transmitting network data for this VXLAN segment into anotherVXLAN segment. In addition, this type of ACL further prevents a VM thatis not authorized for a VXLAN segment from receiving network data via aVTEP that terminates that VXLAN segment.

In one embodiment, by having an ingress ACL on ports that do not have anauthorized VTEP to drop VXLAN encapsulated traffic prevents anunauthorized VM from injecting network data into the VXLAN segment datatraffic. In addition, this type of ACL can prevent source addressspoofing. Furthermore, this type of ACL can prevent an unauthorized VMfrom injecting traffic into the VXLAN control plane (e.g. transmissionof unauthorized IGMP join/leave messages). In one embodiment, anunauthorized VM injecting unauthorized IGMP join/leave messages canaffect any and all VXLAN segments.

In one embodiment, the NAE 318 applies this network security policy tothe affected network access device via a system management network 322.In this embodiment, the system management network is an out-of-bandnetwork that is used by the NAE 318 to manage the network access devices304A-B and/or network access devices 306A-D. The NAE 318 sends commandsto these network access devices 304A-B and/or 306A-D via the systemmanagement network 322 and can receive information from these devicesover the same network 322. Securing the VXLAN segments is described infurther detail below with reference to FIGS. 4-5.

In one embodiment, the NAE 318 can test the VXLAN segments to determineif there is a problem with the configuration and/or topology of one,some, or all of the VXLAN segments. In this embodiment, the NAE 318injects test traffic at one of the network access devices and monitorsthe network access devices on the system 300 for the appearance and/orthe lack of appearance of the test traffic. In one embodiment, NAE 318learns the VXLAN network policy, determines which network access deviceto inject test traffic, and predicts the results of test trafficinjection. NAE 318 further injects the test traffic and monitors thenetwork access devices for the appearance of the test traffic. If thetest shows any errors, the NAE 318 reports the errors.

In one embodiment, the test traffic injected by the NAE 318 is VXLANencapsulated test traffic with a particular VNI. In this embodiment, theinjected test traffic should appear at network access devices that arepart of the VXLAN segment that has the same VNI as the VXLANencapsulated test traffic. In addition, this VXLAN encapsulated testtraffic should not appear at network access device that do notparticipate in that VXLAN segment. For example and in one embodiment, ifthe NAE 318 injects VXLAN encapsulated test traffic with the VNI ofVXLAN segment 314A at network access device 304A, the VXLAN encapsulatedtest traffic should appear at network access devices 304A-B, 306A, 306C,and 306D, but should not appear at network access device 306B. Inanother embodiment, if an error is shown in the test, NAE 318 can takecorrective action to try to address the error shown in the test. In oneembodiment, the NAE 318 takes corrective action by determining andapplying a network security policy as described above. Testing the VXLANsegments is described further below with reference to FIG. 6 below.

In another embodiment, the NAE 318 is part of the SDN Controller 302. Inthis embodiment, the NAE 318 can communicate with the network accessdevices 304A-B and 306A-D via the system management network 322 and/orvia the underlying network 312. In one embodiment, the NAE 318 includesnetwork policy monitoring and enforcement module 320 to secure and testthe VXLAN segments. While the system 300 in FIG. 1 is described withreference to a VXLAN network, the invention described herein can be usedfor other virtualized networks (e.g., NVGRE, STT, and OTV).

FIG. 4 is a flow diagram of one embodiment of a process 400 to secure adynamic virtualized network by learning a current network policy of thevirtualized networks and generating a network security policy for thesevirtualized networks. In one embodiment, the network automation engineperforms process 400 to secure a virtualized network, such as NAE 318 ofFIG. 3 above. In FIG. 4, process 400 begins by learning a current VXLANnetwork policy at block 402. In one embodiment, the current VXLANnetwork policy identifies authorized VTEPs and which port of whichnetwork access devices has an authorized VTEP. In one embodiment,process 400 learns the current network policy from a SDN controller,such as SDN controller 302 as described above with reference to FIG. 3.In one embodiment, the current network policy includes a plurality ofnetwork policy elements, where each network policy elements for thecurrent network policy identify an authorized VTEP and location of thatVTEP (e.g., which port of which network access device has that VTEP). Inanother embodiment, process 400 learns of the VXLAN network policy bysnooping on multicast conversations. For example and in one embodiment,process 400 determines the authorized VTEPs and port location bysnooping on which IGMP joins/leaves are being transmitted in the VXLANsegments. In one embodiment, process 400 can build a running tally ofwhich VMs are on each VXLAN segment. In addition, process 400 cancompare this running tally with the configured set of VTEPs and ports.In one embodiment, process 400 can initially learn the VXLAN currentnetwork policy, learn this network policy at periodic intervals, inresponse to an event, etc.

At block 404, process 400 identifies the network access devices that areaffected by the current network policy. In one embodiment, the affectednetwork access devices are the network access devices that participatein one or more VXLAN segments. For example and in one embodiment,network access devices 304A-B and 306A-D as illustrated in FIG. 3 arethe network access devices affected by the current network accesspolicy.

Process 400 determines a network security policy for each of theaffected network access device(s) at block 406. In one embodiment, thenetwork security policy is a set of network policy elements that areused to secure ports of the affected network access devices. For exampleand in one embodiment, a network policy element for the network securitypolicy can be a multicast join filter to allow multicast groups to learnthe VNIs for an authorized port and drop other multicast joins, createaccess control lists (ACL) on a port that has an VTEP to pass authorizedVNI-tagged traffic and drop other types of traffic, and/or createingress ACLs to drop VXLAN encapsulated traffic on a port that does nothave an attached VTEP. In one embodiment, there is a network securitypolicy for each affected network device and this network security policymay be the same and/or different for different network access devices.Determining a network security policy is described further below withreference to FIG. 5.

At block 408, process 400 applies the network security policy for eachaffected network access device. In one embodiment, process 400 appliesthe network security policy by sending a set of commands to implementthe network security policy. For example and in one embodiment, thecommands can be applied to the target network access device using anetwork management protocol (e.g., Simple Network Management Protocol(SNMP), Simple Object Access Protocol (SOAP), Representational StateTransfer type Application Programming Interface (RESTful API), HypertextTransfer Protocol (HTTP), HTTP over Secure Sockets layer (HTTPs),Network Configuration Protocol (NetConf), Secure Shell (SSH), commandline interface, etc.).

Process 400 monitors the VXLAN segments for new VXLAN membershipsconversations at block 410. In one embodiment, process 400 monitors theVXLAN segments for a change in the VXLAN membership. For example and inone embodiment, process 400 snoops for IGMP join/leave messages thatindicate whether a VM has joined or left a VXLAN segment. At block 412,process 400 determines if there is a change in the VXLAN membership. Ifthere is, process 400 adds the change in membership to the currentnetwork policy and execution proceeds to block 404 above. If not,execution proceeds to block 410 above.

As described above, process 400 determines a network security policy forthe affected network access devices. FIG. 5 is a flow diagram of oneembodiment of a process 500 to determine a network security policy foreach affected network access device of a plurality of network accessdevices. In one embodiment, process 400 performs process 500 todetermine a network security policy for the affected network accessdevices at block 406 in FIG. 4 above. In FIG. 5, process 500 begins byperforming a processing loop (blocks 502-516) to determine a networksecurity policy for each affected network access device. At block 504,process 500 determines if a multicast join filter should be created forthe one or more ports of that network access device. In one embodiment,the multicast join filter drops the multicast join on a port that doesnot have an authorized VTEP, drops the multicast join on a port thatdoes have an authorized VTEP and the multicast join does not have a VNIof that authorized VTEP, and/or passes the multicast join on a port thathas an authorized VTEP and the multicast join has the VNI of thatauthorized VTEP. In one embodiment, the multicast join filter is createdfor ports of network access device that participate in one or more VXLANsegments. In one embodiment, the multicast join filter filters IGMP joinpackets. If the multicast join filter is to be created, at block 506,process 500 creates the multicast join filter for one, some, or all ofthe ports of that network access device. While in one embodiment, themulticast join filter is applied to each port of the network accessdevice, in alternate embodiments, the multicast join filter is appliedto some of the ports of the network access device (e.g., applied toports that are up, ports that are not devoted solely to a systemmanagement network, etc.) Execution proceeds to block 508. If themulticast join filter is not to be created, execution proceeds to block508.

At block 508, process 500 determines if a VNI ACL is to be created forthat network access device. In one embodiment, a VNI ACL passesVXLAN-encapsulated traffic on a port that has a VTEP to pass authorizedVNI-tagged traffic and drop other types of traffic. In one embodiment,this ACL is created for ports on the network access device that is usedto restrict ports to specific VXLAN-encapsulated network data. Forexample and in one embodiment, the port on network access device 306Athat couples to network access device 304A could have the network datato be communicated be restricted to VXLAN-encapsulated with the same VNIas the VNI for VXLAN segment 314A. If the VNI ACL is to be created forone or more ports of the network access device, at block 510, process500 creates the VNI ACLs for the appropriate ports of that networkaccess device. While in one embodiment, the VNI ACL is applied to eachport of the network access device, in alternate embodiments, the VNI ACLis applied to some of the ports of the network access device (e.g.,applied to ports associated with a VTEP, etc.) Execution proceeds toblock 512. If the VNI ACL is not to be created, execution proceeds toblock 512.

At block 512, process 500 determines if an ingress ACL to drop VXLANencapsulated traffic on a port that does not have an attached VTEP is tobe created. In one embodiment, this type of ACL is used to denyVXLAN-encapsulated traffic from entering a VXLAN segment on a portwithout an authorized VTEP associated with that port. For example and inone embodiment, process 500 creates this ingress ACL on ports of thenetwork access device that do not have an associated VTEP. If theingress ACL is to be created for one or more ports of the network accessdevice, at block 514, process 500 creates the ingress ACLs for theappropriate ports of that network access device. While in oneembodiment, the ingress ACLs is applied to each port of the networkaccess device, in alternate embodiments, the ingress ACLs is applied tosome of the ports of the network access device (e.g., applied to portsthat are up, ports that are not devoted to a system management network,etc.) Execution proceeds to block 516. If the ingress ACL is not to becreated, execution proceeds to block 516. The processing loop ends atblock 516.

As described above, the NAE can secure that virtualized network as welltest this virtualized network for a problem with the configurationand/or topology of one, some, or all of the VXLAN segments. FIG. 6 is aflow diagram of one embodiment of a process 600 to test a security of anetwork policy of the dynamic virtualized network. In one embodiment,the network automation engine to secure a virtualized network, such asNAE 318 described above with reference to FIG. 3, performs process 600.In FIG. 6, process 600 begins by learning the VXLAN network policy atblock 602. In one embodiment, the current VXLAN network policyidentifies authorized VTEPs and which port of which network accessdevices have an authorized VTEP. In one embodiment, process 600 learnsthe current network policy from a SDN controller, such as SDN controller302 as described above with reference to FIG. 3. In one embodiment, thecurrent network policy includes a plurality of network policy elements,where each network policy elements for the current network policyidentify an authorized VTEP and location of that VTEP (e.g., which portof which network access device has that VTEP). In another embodiment,process 600 learns of the VXLAN network policy by snooping on multicastconversations. For example and in one embodiment, process 400 determinesthe authorized VTEPs and port location by snooping on which IGMPjoins/leaves are being transmitted in the VXLAN segments. In oneembodiment, process 400 can build a running tally of which VMs are oneach VXLAN segment. In addition, process 400 can compare this runningtally with the configured set of VTEPs and ports. In one embodiment,process 600 can initially learn the VXLAN current network policy, learnthis network policy at periodic intervals, in response to an event, etc.

At block 604, process 600 determines which network access device toinject test traffic into the one or more VXLAN segments. In oneembodiment, process 600 determines which network access device to injecttest traffic based on the network policy of network access devicesand/or the topology of the physical and/or virtualized networks. In oneembodiment, process 600 determines to inject the test traffic in anetwork access device that participates in a single VXLAN segment. Inanother embodiment, process 600 determines to inject the test traffic ina network access device that participates in multiple or no VXLANsegments.

Process 600 predicts the result of the test traffic injection at block606. In one embodiment, the test traffic injected by process 600 isVXLAN encapsulated test traffic with a particular VNI. In thisembodiment, the injected test traffic should appear at network accessdevices that are part of the VXLAN segment that has the same VNI as theVXLAN encapsulated test traffic. In addition, this VXLAN encapsulatedtest traffic should not appear at network access device that does notparticipate in that VXLAN segment. For example and in one embodiment, ifprocess 600 injects VXLAN encapsulated test traffic with the VNI ofVXLAN segment 314A at network access device 304A, the VXLAN encapsulatedtest traffic should appear at network access devices 304A-B, 306A, 306C,and 306D, but should not appear at network access device 306B.

At block 608, process 600 injects the test traffic at the network accessdevice determined at block 604 above. In one embodiment, process 600injects VXLAN-encapsulated test traffic at a particular network accessdevice. For example and in one embodiment, process 600 injectsVXLAN-encapsulated test traffic that has VNI A into a VXLAN segmentidentified with VNI B. In one embodiment, the test traffic includes apacket with specially marked payload that indicates that the packet istest traffic.

Process 600 monitors the network access devices for the appearance andnon-appearance of the test traffic at block 610. In one embodiment,process 600 monitors the test traffic by monitoring the network accessdevices for a reported error. For example and in one embodiment, process600 injects VXLAN-encapsulated test traffic that has VNI A into a VXLANsegment identified with VNI B. In this example, process 600 monitors thenetwork access devices associated with VXLAN segment with the VNI B foran error (e.g., an alert, a log entry, bump in a statistic that tracksif illegal VXLAN traffic was dropped, etc.).

At block 612, process 600 determines if the test shows any errors. Inone embodiment, if the test traffic appearance and/or non-appearance isthe same as the prediction of the test traffic injection determined atblock 606, the test is successful with no errors. In another embodiment,if the test traffic does not appear as predicted and/or the test trafficappears contrary to the prediction, the test shows an error. If thereare no errors, process 600 reports a successful test at block 614. Ifthere are errors in the test, process 600 reports the test errors atblock 616. At block 618, process 600 determines whether to takecorrective action based on the reported errors. In one embodiment,corrective action that can be taken is terminating the VXLAN segment,disconnecting one or more specific ports of one or more network accessdevices, adding a source specific ACL that blocks certain hosts and/orports, etc. and/or a combination thereof. If a corrective action istaken, at block 620, process 600 performs the corrective action. In oneembodiment, process 600 determines and applies a network security policyas described above with reference to FIG. 4. If no corrective action isto be taken, process 600 does not perform any corrective action at block622.

FIG. 7 is a block diagram of network policy monitoring and enforcementmodule 320 that secures and tests a dynamic virtualized network. In FIG.7, network policy monitoring and enforcement module 320 includes networkpolicy enforcement module 702 and network policy testing module 704. Inone embodiment, the network policy enforcement module 702 secures theoverlaid virtualized network as described above with reference to FIG.4. The network policy testing module 704 tests the overlaid virtualizednetwork as described above with reference to FIG. 6.

FIG. 8 is a block diagram of a network policy enforcement module 702that secures a dynamic virtualized network. In FIG. 8, the networkpolicy enforcement module 702 includes a learn network policy module802, identify network access device module 804, security determinationmodule 806, apply network security policy module 808, and monitornetwork module 810. In one embodiment, the learn network policy module802 learns the current network policy as described above with referenceto FIG. 8, block 802. The identify network access device module 804identifies the affected network access devices as described above withreference to FIG. 8, block 804. The network security policydetermination module 806 determines a network security policy asdescribed above with reference to FIG. 8, block 806. The apply networksecurity policy module 808 applies the network security policy asdescribed above with reference to FIG. 8, block 808. The monitor networkmodule 810 monitors the network as described above with reference toFIG. 8, block 810.

FIG. 9 is a block diagram of a network security policy determinationmodule 806 that determines a network security policy for each affectednetwork access device of a plurality of network access devices. In oneembodiment, the network security policy determination module 806includes multicast join filter determination module 902, createmulticast join filter module 904, ID ACL determination module 906,create ID ACL module 908, ingress ACL determination module 910, andcreate ingress ACL module 912. In one embodiment, the multicast joinfilter determination module 902 determines if a multicast join filter isto be created as described above with reference to FIG. 5, block 504.The create multicast join filter module 904 creates the multicast joinfilter as described above with reference to FIG. 5, block 506. The IDACL determination module 906 determines if a VNI ACL is to be created asdescribed above with reference to FIG. 5, block 508. The create ID ACLmodule 908 creates the VNI ACL as described above with reference to FIG.5, block 510. The ingress ACL determination module 910 determines if aningress ACL should be created as described above with reference to FIG.5, block 512. The create ingress ACL module 912 creates the ingress ACLas described above with reference to FIG. 5, block 514.

FIG. 10 is a block diagram of a network policy testing module 704 thattests a dynamic virtualized network. In FIG. 10, network policy testingmodule 704 include learn network policy module 1002, network accessdevice test determination module 1004, predict test result module 1006,inject test traffic module 1008, monitor test results module 1010, testresults error determination module 1012, report successful test module1014, report test error module 1014, corrective action determinationmodule 1016, and corrective action module 1018. In one embodiment, thelearn network policy module 1002 learns the network policy as describedabove with reference to FIG. 6, block 602. The network access devicetest determination module 1004 determines the affected network accessdevices as described above with reference to FIG. 6, block 604. Thepredict test result module 1006 predicts the test results as describedabove with reference to FIG. 6, block 606. The inject test trafficmodule 1008 injects the test traffic as described above with referenceto FIG. 6, block 608. The monitor test results module 1010 monitors thenetwork for test results as described above with reference to FIG. 6,block 610. The test results error determination module 1012 determinesif there are any test errors as described above with reference to FIG.6, block 612. The report successful test module 1014 reports asuccessful test as described above with reference to FIG. 6, block 614.The report test error module 1016 reports the test error as describedabove with reference to FIG. 6, block 616. The corrective actiondetermination module 1018 determines if corrective action is to be takenas described above with reference to FIG. 6, block 618. The correctiveaction module 1020 takes the corrective action as described above withreference to FIG. 6, block 620.

FIG. 11 shows one example of a data processing system 1100, which may beused with one embodiment of the present invention. For example, thesystem 1100 may be implemented including a NAE 318 as shown in FIG. 3.Note that while FIG. 11 illustrates various components of a computersystem, it is not intended to represent any particular architecture ormanner of interconnecting the components as such details are not germaneto the present invention. It will also be appreciated that networkcomputers and other data processing systems or other consumer electronicdevices, which have fewer components or perhaps more components, mayalso be used with the present invention.

As shown in FIG. 11, the computer system 1100, which is a form of a dataprocessing system, includes a bus 1103 which is coupled to amicroprocessor(s) 1105 and a ROM (Read Only Memory) 1107 and volatileRAM 1109 and a non-volatile memory 1111. The microprocessor 1105 mayretrieve the instructions from the memories 1107, 1109, 1111 and executethe instructions to perform operations described above. The bus 1103interconnects these various components together and also interconnectsthese components 1105, 1107, 1109, and 1111 to a display controller anddisplay device 1115 and to peripheral devices such as input/output (I/O)devices which may be mice, keyboards, modems, network interfaces,printers and other devices which are well known in the art. Typically,the input/output devices 1115 are coupled to the system throughinput/output controllers 1117. The volatile RAM (Random Access Memory)1109 is typically implemented as dynamic RAM (DRAM), which requirespower continually in order to refresh or maintain the data in thememory.

The mass storage 1111 is typically a magnetic hard drive or a magneticoptical drive or an optical drive or a DVD RAM or a flash memory orother types of memory systems, which maintain data (e.g. large amountsof data) even after power is removed from the system. Typically, themass storage 1111 will also be a random access memory although this isnot required. While FIG. 11 shows that the mass storage 1111 is a localdevice coupled directly to the rest of the components in the dataprocessing system, it will be appreciated that the present invention mayutilize a non-volatile memory which is remote from the system, such as anetwork storage device which is coupled to the data processing systemthrough a network interface such as a modem, an Ethernet interface or awireless network. The bus 1103 may include one or more buses connectedto each other through various bridges, controllers and/or adapters as iswell known in the art.

Portions of what was described above may be implemented with logiccircuitry such as a dedicated logic circuit or with a microcontroller orother form of processing core that executes program code instructions.Thus processes taught by the discussion above may be performed withprogram code such as machine-executable instructions that cause amachine that executes these instructions to perform certain functions.In this context, a “machine” may be a machine that converts intermediateform (or “abstract”) instructions into processor specific instructions(e.g., an abstract execution environment such as a “process virtualmachine” (e.g., a Java Virtual Machine), an interpreter, a CommonLanguage Runtime, a high-level language virtual machine, etc.), and/or,electronic circuitry disposed on a semiconductor chip (e.g., “logiccircuitry” implemented with transistors) designed to executeinstructions such as a general-purpose processor and/or aspecial-purpose processor. Processes taught by the discussion above mayalso be performed by (in the alternative to a machine or in combinationwith a machine) electronic circuitry designed to perform the processes(or a portion thereof) without the execution of program code.

The present invention also relates to an apparatus for performing theoperations described herein. This apparatus may be specially constructedfor the required purpose, or it may comprise a general-purpose computerselectively activated or reconfigured by a computer program stored inthe computer. Such a computer program may be stored in a computerreadable storage medium, such as, but is not limited to, any type ofdisk including floppy disks, optical disks, CD-ROMs, andmagnetic-optical disks, read-only memories (ROMs), RAMs, EPROMs,EEPROMs, magnetic or optical cards, or any type of media suitable forstoring electronic instructions, and each coupled to a computer systembus.

A machine readable medium includes any mechanism for storing ortransmitting information in a form readable by a machine (e.g., acomputer). For example, a machine readable medium includes read onlymemory (“ROM”); random access memory (“RAM”); magnetic disk storagemedia; optical storage media; flash memory devices; etc.

An article of manufacture may be used to store program code. An articleof manufacture that stores program code may be embodied as, but is notlimited to, one or more memories (e.g., one or more flash memories,random access memories (static, dynamic or other)), optical disks,CD-ROMs, DVD ROMs, EPROMs, EEPROMs, magnetic or optical cards or othertype of machine-readable media suitable for storing electronicinstructions. Program code may also be downloaded from a remote computer(e.g., a server) to a requesting computer (e.g., a client) by way ofdata signals embodied in a propagation medium (e.g., via a communicationlink (e.g., a network connection)).

The preceding detailed descriptions are presented in terms of algorithmsand symbolic representations of operations on data bits within acomputer memory. These algorithmic descriptions and representations arethe tools used by those skilled in the data processing arts to mosteffectively convey the substance of their work to others skilled in theart. An algorithm is here, and generally, conceived to be aself-consistent sequence of operations leading to a desired result. Theoperations are those requiring physical manipulations of physicalquantities. Usually, though not necessarily, these quantities take theform of electrical or magnetic signals capable of being stored,transferred, combined, compared, and otherwise manipulated. It hasproven convenient at times, principally for reasons of common usage, torefer to these signals as bits, values, elements, symbols, characters,terms, numbers, or the like.

It should be kept in mind, however, that all of these and similar termsare to be associated with the appropriate physical quantities and aremerely convenient labels applied to these quantities. Unlessspecifically stated otherwise as apparent from the above discussion, itis appreciated that throughout the description, discussions utilizingterms such as “learning,” “receiving,” “determining,” “transmitting,”“sending,” “forwarding,” “detecting,” “applying,” “injecting,”“communicating,” or the like, refer to the action and processes of acomputer system, or similar electronic computing device, thatmanipulates and transforms data represented as physical (electronic)quantities within the computer system's registers and memories intoother data similarly represented as physical quantities within thecomputer system memories or registers or other such information storage,transmission or display devices.

The processes and displays presented herein are not inherently relatedto any particular computer or other apparatus. Various general-purposesystems may be used with programs in accordance with the teachingsherein, or it may prove convenient to construct a more specializedapparatus to perform the operations described. The required structurefor a variety of these systems will be evident from the descriptionbelow. In addition, the present invention is not described withreference to any particular programming language. It will be appreciatedthat a variety of programming languages may be used to implement theteachings of the invention as described herein.

The foregoing discussion merely describes some exemplary embodiments ofthe present invention. One skilled in the art will readily recognizefrom such discussion, the accompanying drawings and the claims thatvarious modifications can be made without departing from the spirit andscope of the invention.

What is claimed is:
 1. A method comprising: receiving, by a networkautomation engine of a software defined network (SDN) controllerassociated with a dynamic virtualized network that is overlaid on aphysical network, a current network policy of the dynamic virtualizednetwork, wherein the current network policy includes a plurality ofnetwork policy elements and each of the plurality of network policyelements identifies (i) an authorized endpoint of a plurality ofauthorized endpoints within the dynamic virtualized network, (ii) anetwork access device of a plurality of network access devices withinthe dynamic virtualized network, and (iii) a port of the network accessdevice with which the authorized endpoint is associated; selecting, bythe network automation engine, a test network access device of theplurality of network access devices from which test traffic is to beinjected into the dynamic virtualized network based on one or more ofthe current network policy, a topology of the physical network and atopology of the dynamic virtualized network; determining, by the networkautomation engine, a predicted result of injection of the test trafficinto the dynamic virtualized network based on the current networkpolicy; causing, by the network automation engine, the test networkaccess device to inject the test traffic into the dynamic virtualizednetwork; monitoring, by the network automation engine, a result ofinjection of the test traffic into the dynamic virtualized network; andidentifying, by the network automation, one or more errors in connectionwith handling of the test traffic by the dynamic virtualized network bycomparing the predicted result with the result.
 2. The method of claim1, further comprising reporting, by the network automation engine, theone or more errors.
 3. The method of claim 1, wherein the dynamicvirtualized network comprises a Virtual eXtensible Local Area Network(VxLAN) and the physical network comprises a layer 3 network.
 4. Themethod of claim 3, further comprising addressing the one or more errors,by the network automation engine, by taking corrective action, includingone or more of: terminating, by the network automation engine, a VxLANsegment associated with the one or more errors; causing, by the networkautomation engine, one or more specific ports of one or more networkaccess devices of the plurality of network access devices and associatedwith the one or more errors to be disconnected; and causing, by thenetwork automation engine, a particular network access device of theplurality of network access devices to enforce a new security measureby: creating the new security measure specifying how network traffic isto be processed by the particular network access device; and applyingthe new security measure to the particular network access device.
 5. Themethod of claim 4, wherein the security measure comprises a multicastjoin filter that passes a multicast join request on a port of theparticular network access device with which an authorized endpoint ofthe plurality of authorized endpoints is associated.
 6. The method ofclaim 4, wherein the security measure comprises a multicast join filterthat drops a multicast join request on a port of the particular networkaccess device with which none of the plurality of authorized endpointsare associated.
 7. The method of clam 4, wherein the security measurecomprises an access control list on a port of the particular networkaccess device with which an authorized endpoint of the plurality ofauthorized endpoints is associated and wherein the access control listallows network traffic that includes an identifier associated with theauthorized endpoint traffic to pass through the port.
 8. The method ofclaim 7, wherein the identifier comprises a VxLAN Network Identifier(VNI).
 9. The method of clam 4, wherein the security measure comprisesan access control list on a port of the particular network access devicewith which an authorized endpoint of the plurality of authorizedendpoints is associated and wherein the access control list causesnetwork traffic that does not include an identifier associated with theauthorized endpoint to be dropped.
 10. The method of claim 4, whereinthe security measure comprises an access control list on a port of theparticular network access device with which none of the plurality ofauthorized endpoints are associated and wherein the access control listcauses network traffic that is encapsulated for the dynamic virtualizednetwork to be dropped.
 11. A non-transitory machine-readable mediumhaving embodied therein executable instructions representing a networkautomation engine, which when executed by one or more processors of asoftware defined networking (SDN) controller associated with a dynamicvirtualized network that is overlaid on a physical network perform amethod comprising: receiving a current network policy of the dynamicvirtualized network, wherein the current network policy includes aplurality of network policy elements and each of the plurality ofnetwork policy elements identifies (i) an authorized endpoint of aplurality of authorized endpoints within the dynamic virtualizednetwork, (ii) a network access device of a plurality of network accessdevices within the dynamic virtualized network, and (iii) a port of thenetwork access device with which the authorized endpoint is associated;selecting a test network access device of the plurality of networkaccess devices from which test traffic is to be injected into thedynamic virtualized network based on one or more of the current networkpolicy, a topology of the physical network and a topology of the dynamicvirtualized network; determining a predicted result of injection of thetest traffic into the dynamic virtualized network based on the currentnetwork policy; causing the test network access device to inject thetest traffic into the dynamic virtualized network; monitoring a resultof injection of the test traffic into the dynamic virtualized network;and identifying one or more errors in connection with handling of thetest traffic by the dynamic virtualized network by comparing thepredicted result with the result.
 12. The non-transitorymachine-readable medium of claim 11, wherein the method furthercomprises reporting the one or more errors.
 13. The non-transitorymachine-readable medium of claim 11, wherein the dynamic virtualizednetwork comprises a Virtual eXtensible Local Area Network (VxLAN) andthe physical network comprises a layer 3 network.
 14. The non-transitorymachine-readable medium of claim 13, wherein the method furthercomprises addressing the one or more errors by taking corrective action,including one or more of: terminating a VxLAN segment associated withthe one or more errors; causing one or more specific ports of one ormore network access devices of the plurality of network access devicesand associated with the one or more errors to be disconnected; andcausing a particular network access device of the plurality of networkaccess devices to enforce a new security measure by: creating the newsecurity measure specifying how network traffic is to be processed bythe particular network access device; and applying the new securitymeasure to the particular network access device.
 15. The non-transitorymachine-readable medium of claim 14, wherein the security measurecomprises a multicast join filter that passes a multicast join requeston a port of the particular network access device with which anauthorized endpoint of the plurality of authorized endpoints isassociated.
 16. The non-transitory machine-readable medium of claim 14,wherein the security measure comprises a multicast join filter thatdrops a multicast join request on a port of the particular networkaccess device with which none of the plurality of authorized endpointsare associated.
 17. The non-transitory machine-readable medium of clam14, wherein the security measure comprises an access control list on aport of the particular network access device with which an authorizedendpoint of the plurality of authorized endpoints is associated andwherein the access control list allows network traffic that includes anidentifier associated with the authorized endpoint traffic to passthrough the port.
 18. The non-transitory machine-readable medium ofclaim 17, wherein the identifier comprises a VxLAN Network Identifier(VNI).
 19. The non-transitory machine-readable medium of clam 14,wherein the security measure comprises an access control list on a portof the particular network access device with which an authorizedendpoint of the plurality of authorized endpoints is associated andwherein the access control list causes network traffic that does notinclude an identifier associated with the authorized endpoint to bedropped.
 20. The non-transitory machine-readable medium of claim 14,wherein the security measure comprises an access control list on a portof the particular network access device with which none of the pluralityof authorized endpoints are associated and wherein the access controllist causes network traffic that is encapsulated for the dynamicvirtualized network to be dropped.